Re: Patch to add DLT_AX25 handling to libpcap

[Richard Stearn <richard () rns-stearn demon co uk>]

Guy Harris wrote:
> Richard Stearn wrote:
>
> > Adding DLT_AX25_KISS is the obvious way to go with the exception that 
> > Linux
> > identifies AX.25 in KISS packets as DLT_AX25 (protocol 3).
>
>
> "Identifies" in what sense?

As in returns 3 as an identifier of the protocol type.

> I don't see any use of DLT_AX25 in the 2.6.20.4 kernel.  It appears to 
> use ARPHRD_AX25 as the arphrd value for AX.25 adapters, and that happens 
> to have the same value as DLT_AX25 because the first few DLT_ values 
> were ARP hardware type values, but libpcap doesn't expose ARPHRD_ values 
> to applications - it maps them to DLT_ values.

Fine, same value different meaning.

> pcap-linux.c could map ARPHRD_AX25 to DLT_AX25_KISS, which means AX.25 
> captures done on Linux will have a file type of DLT_AX25_KISS.

As in:

declare DLT_AX25_KISS as X

and change:

pcap-linux.c
  1140          case ARPHRD_AX25:
  1141                  handle->linktype = DLT_AX25;
  1142                  break;

to
pcap-linux.c
  1140          case ARPHRD_AX25:
  1141                  handle->linktype = DLT_AX25_KISS;
  1142                  break;

That would be good, tells higher levels exactly what the packet is.

To date I have found AX.25 encapsulated in three ways:
        AX.25 in UDP & TCP - pure AX.25
        AX.25 as passed from the MKISS driver with a 1 byte header
        AX.25 in ethernet (BPQ) with a 2 byte header

so your point about dissecting pure AX.25 was well made and DLT_AX25_BPQ
may be needed as well.

The AX.25 in ethernet (BPQ) uses an ethertype of 0x08ff, probably
unregistered.

I need to look a lot more closely at the AX.25 protocol driver in Linux.

Thanks for your patience.
--
Regards
        Richard
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.